ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/sec/secdintx.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">

<title>Example: Trust association interceptor</title>
</head>

<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>

<h4><a name="secdintx"></a>Example: Trust association interceptor</h4>

<p>If you are using a third party reverse proxy server other than Tivoli WebSEAL product, you must provide an implementation class for the trust association interceptor interface for your proxy server.</p>

<p><strong>Using the TrustAssociation Interceptor interface</strong></p>

<p>WebSphere Application Server - Express provides the interceptor Java interface, <a href="../program/apidocs/ae/com/ibm/websphere/security/TrustAssociationInterceptor.html">com.ibm.websphere.security.TrustAssociationInterceptor</a> <img src="api.gif" width="18" height="15" align="absbottom" alt="Go to API documentation">, which defines the following methods:</p>

<ul>
<li>public boolean isTargetInterceptor (HttpServletRequest req) throws WebTrustAssociationException;</li>
<li>public void validateEstablishedTrust (HttpServletRequest req) throws WebTrustAssociationException;</li>
<li>public string getAuthenticatedUsername (HttpServletRequest req) throws WebTrustAssociationException;</li>
</ul> 

<p>The isTargetInterceptor method is used to determine whether the request originated with the proxy server associated with the Interceptor. The implementation code must examine the incoming request object and determine if the proxy server forwarding the request is a valid proxy server for this interceptor. The result of this method determines whether the interceptor processes the request or not.</p>

<p>The validateEstablishedTrust method determines if the proxy server from which the request originated is trusted or not. This method is called after the isTargetInterceptor method. The implementation code must authenticate the proxy server. The authentication mechanism is proxy server specific. For example, in the WebSphere provided implementation for the WebSEAL server, this method retrieves the basic authentication from the HTTP header and validates the information against the user registry used by the product. If the credentials are invalid then the code throws the WebTrustAssociationException exception, indicating that the proxy server is not trusted and the request is to be denied.</p>

<p>The getAuthenticatedUsername method is called after trust has been established between the proxy server and the product. WebSphere Application Server - Express has accepted the proxy server's authentication of the request and must now authorize the request. To authorize the request, the name of the original requestor must be subjected to an authorization policy to determine if the requestor has the necessary privilege. The implementation code for this method must extract the user name from the HTTP request header and determine if that user is entitled to the requested resource. For example, in the WebSphere provided implementation for the WebSEAL server, the method looks for an iv-user attribute in the HTTP request header and extracts the user ID associated with it for authorization.</p>

<p>After the interceptor class has been created, WebSphere Application Server - Express must be configured to use it by providing the following properties.</p>

<p>Perform these steps in the WebSphere administrative console:</p>

<ol>
<li>Start the WebSphere administrative console.</li>
<li>Expand <strong>Security</strong> --&gt; <strong>Authentication Mechanisms</strong>, and click <strong>LTPA</strong>.</li>
<li>Click <strong>Trust Association</strong>.</li>
<li>Check <strong>Enable Trust Association</strong>, and then click <strong>Interceptors</strong>.</li>
<li>If you are using WebSEAL Interceptor, check <strong>com.ibm.ws.security.web.WebSEALTrustAssociationInterceptor</strong>. Otherwise, click <strong>New</strong> to add your interceptors. WebSphere Application Server - Express uses the classpath on the server to look for the implementation class. For each interceptor that you add, click <strong>Additional Properties</strong> to enter the property name and value pairs. Check <strong>Required</strong> for each property.</li>
</ol>

<p>The properties and values for intercepters are these (where <em>proxy</em> is the name of your proxy server):</p>

<ul>
<li><p><strong>com.ibm.websphere.security.trustassociation.types</strong>
<br>Establish a name for your proxy. For example, if you call your proxy server <tt>myProxy</tt>, then set the property as follows: <tt>com.ibm.websphere.security.trustassociation.types=myproxy</tt>.</p></li>

<li><p><strong>com.ibm.websphere.security.<em>proxy</em>.hostnames</strong>
<br>The value for this property is the hostname of the machine where the proxy server is running.</p></li>

<li><p><strong>com.ibm.websphere.security.<em>proxy</em>.loginId</strong>
<br>The value of this property is the proxy server ID.</p></li>

<li><p><strong>com.ibm.websphere.security.<em>proxy</em>.Id</strong>
<br>The value of this property is a special header field that is sent by the proxy server with the request to WebSphere Application Server - Express.</p></li>

<li><p><strong>com.ibm.websphere.security.<em>proxy</em>.ports</strong>
<br>This is the port where your proxy server receives the user requests. You can have a different port number depending on your proxy server's configuration.</p></li>
</ul>

<p>Specific name and value pairs for WebSEAL are as follows:</p>
<ul>
<li>com.ibm.websphere.security.trustassociation.types=webseal</li>
<li>com.ibm.websphere.security.webseal.id=iv-user</li>
<li>com.ibm.websphere.security.webseal.ports=443</li>
</ul>

<p><strong>Note:</strong> You may have a different port number depending on your WebSEAL configuration.</p>

</body>
</html>